ID Sequence Analysis for Intrusion Detection in the CAN bus using Long Short Term Memory Networks

Desta, Araya Kibrom; Ohira, Shuji; Arai, Ismail; Fujikawa, Kazutoshi

doi:10.1109/percomworkshops48775.2020.9156250

Cited by 25 publications

(18 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For comparison with the performance of other existing methods, the GAN-based method proposed in [3] and the LSTM-based prediction method proposed in [6] were se- As expected, the AUC performance of the proposed method is improved compared to the other methods. In particular, compared to the unidirectional GPT model, the proposed model combining GPT networks in both the forward and backward directions can achieve higher performance with the same degree of complexity.…”

Section: Performance Comparisonsmentioning

confidence: 65%

“…Reference [6] proposed a method of detecting attacks using a forward-direction prediction technique based on an LSTM network. Specifically, it predicts the log probability of the CAN ID appearing immediately after a given CAN ID sequence.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, an arbitrary electrical control unit (ECU) can broadcast a CAN data frame containing a CAN identifier (ID) and a message from any device connected to the bus [1]. As attacks against CAN bus communication have become more advanced and intelligent, increasingly sophisticated defense techniques against them have been proposed [2]- [6]. Existing methods detect the pattern changes caused by an attack after learning the normal pattern of a CAN ID sequence, which is composed of CAN IDs extracted only from CAN data frames.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Intrusion Detection Method Using Bi-Directional GPT for in-Vehicle Controller Area Networks

Nam

Park

Kim³

2021

IEEE Access

View full text Add to dashboard Cite

The controller area network (CAN) bus protocol is exposed to threats from various attacks because it is designed without consideration of security. In a normal vehicle operation situation, controllers connected to a CAN bus transmit periodic and nonperiodic signals. Thus, if a CAN identifier (ID) sequence is configured by collecting the identifiers of CAN signals in their order of occurrence, it will have a certain pattern. However, if only a very small number of attack IDs are included in a CAN ID sequence, it will be difficult to detect the corresponding pattern change. Thus, a detection method that is different from the conventional one is required to detect such attacks. Since a CAN ID sequence can be regarded as a sentence consisting of words in the form of CAN IDs, a Generative Pre-trained Transformer (GPT) model can learn the pattern of a normal CAN ID sequence. Therefore, such a model is expected to be able to detect CAN ID sequences that contain a very small number of attack IDs better than the existing long short-term memory (LSTM)-based method. In this paper, we propose an intrusion detection model that combines two GPT networks in a bidirectional manner to allow both past and future CAN IDs (relative to the time of detection) to be used. The proposed model was trained to minimize the negative log-likelihood (NLL) value of the bidirectional GPT network for a normal sequence. When the NLL value for a CAN ID sequence is larger than a prespecified threshold, it is deemed an intrusion. The proposed model outperforms a single unidirectional GPT model with the same degree of complexity as well as other existing LSTM-based models because the bidirectional structure of the proposed model maintains the same estimation performance for most of CAN IDs regardless of their positions in the sequence.

show abstract

Section: Performance Comparisonsmentioning

confidence: 65%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Detection Method Using Bi-Directional GPT for in-Vehicle Controller Area Networks

Nam

Park

Kim³

2021

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Taylor, Leblanc, and Japkowicz [12] use Long Short-Term Memory (LSTM) networks to detect sequential anomalies in CAN data, however their approach results in higher than acceptable false positive rate. Desta, et al [13] propose an LSTM network to predict the next CAN arbitration ID and compare it with the actual arbitration ID, however their proposed scheme is vulnerable to replay attacks. A basic LSTM network was used to classify CAN frames as normal frames or attack frames in [14].…”

Section: Background and Related Workmentioning

confidence: 99%

“…A number is assigned to each CAN variable and a letter is assigned to each operation. An example rule is 0 13 a which represents the correlation (a) between brake position (0) and fuel pressure (13). The above properties ensure that the graph has a minimum number of vertices and a minimum radius.…”

Section: B Rulesmentioning

confidence: 99%

Design of Anomaly Detection Functions for Controller Area Networks

Tanksale

2021

IEEE Open J. Intell. Transp. Syst.

View full text Add to dashboard Cite

Vehicles are becoming increasingly autonomous and connected, leading to an increase in the types of security threats to vehicles. Controller Area Network (CAN) is a serial bus system that is used to connect sensors and controllers (Electronic Control Units -ECUs) within a vehicle. ECUs vary widely in processing power, storage, memory, and connectivity. There is a need for efficient security countermeasures for protecting the CAN from various attacks. In this paper, we present a novel process to efficiently design functions that can be used for anomaly detection. Our earlier work successfully demonstrated the use of Long Short-Term Memory (LSTM) Networks to perform anomaly detection. This paper focuses on the efficient design and testing of functions that are attack-resistant and can be used in our anomaly detection engine. Once trained, our system is capable of efficiently detecting anomalies in real-time. We report the results of our anomaly detection function design process. We also present the results of our overall anomaly detection engine that are used as inputs to our detection engine. Our function design process and anomaly detection engine have been tested on data from real automobiles. We present the results of our experiments and analyze our findings.

show abstract

Temporal Logic-Based Intrusion Detection for Securing Connected Vehicles

Bozdal

2024

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

ID Sequence Analysis for Intrusion Detection in the CAN bus using Long Short Term Memory Networks

Cited by 25 publications

References 17 publications

Intrusion Detection Method Using Bi-Directional GPT for in-Vehicle Controller Area Networks

Intrusion Detection Method Using Bi-Directional GPT for in-Vehicle Controller Area Networks

Design of Anomaly Detection Functions for Controller Area Networks

Temporal Logic-Based Intrusion Detection for Securing Connected Vehicles

Contact Info

Product

Resources

About